Koozali.org: home of the SME Server

Multiple IP addresses on one physical interface routed internally to hosts

Offline f21970

Hi folks,
Please have patience with me and speak in simple language as I'm a total newbie with sme!

I have an SME server connecting my internal clients to the internet.  I need to enable routing from multiple external addresses to multiple internal hosts. 
e.g. I have an additional external IP address and want clients to be able to attach to that IP address and route through to a terminal server farm internally.
I have around 3 services which sit behind the SME which I need to provide external access to.

I haven't a clue where to start.  Please help me!
...

Offline janet

f21970

sme server only supports one external IP
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline janet

f21970

Not sure what you exactly want to do, but you can proxypass many domains (via sme server) to different internal or external servers

Offline f21970

Is it not possible to configure virtual ethernet cards?  I'm certain I read about it in these forums, but couldn't quite follow the logic of how it's done.
...

Offline f21970

What's proxypass?  I've got an external IP address 10.8.10.1 (for instance) to which I route traffic for webmail.  So the client would type in 10.8.10.1/webmail to access their webmail.  I need to be able to enable client access from the big wide world to a couple of terminal server farms which are hosted internally, and for file access to a server which transmits via a secure client on port 45678 (for instance).
...

Offline Stefano

then you need the port-forward panel..

again, as Mary said, it will work only for the SME's external IP

anyway, as you define yourself as a newbie, please take some time to read carefully the documentation

hth
ciao
Stefano

Offline f21970

So, if I bring all the traffic into one IP address attached to one interface on the SME server, then create port forwarding rules which redirect the traffic to the relevant internal addresses, this then redirects the traffic dependent upon which port it comes in on?
...

Offline Stefano

yes..

you can forward
external_ip:44444 to internal_ip1:3389
external_ip:44445 to internal_ip2:3389
external_ip:44446 to internal_ip3:3389

and so on..

Ciao
Stefano

Offline janet

f21970

Quote
...this then redirects the traffic dependant upon which port it come in on?

yes, see Port Forwarding panel in http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter11


re proxypass which is really designed to forward http port 80 and https port 443, see
http://wiki.contribs.org/SME_Server:Documentation:FAQ#Proxy_Pass

« Last Edit: March 20, 2009, 01:48:30 PM by mary »

Offline janet

f21970

Rather than using different external IPs, you can setup multiple virtual domains and use those to connect to different services or hosts.
sme supports unlimited virtual domains on the one external IP, and you can configure the domains panel to redirect where the domain finds its content, or create custom templates to redirect requests (for more specific control).

Offline f21970

Quote
yes..

you can forward
external_ip:44444 to internal_ip1:3389
external_ip:44445 to internal_ip2:3389
external_ip:44446 to internal_ip3:3389

and so on..

Ciao
Stefano

What happens in the case of two Terminal Server farms running inside the network that I want to bring people through to?  I've got one which should only be used by teachers, and one only by students.  Would I have to give out a registry hack to run to change the port for RDP for one group?
...

Offline f21970

Quote
f21970

Rather than using different external IPs, you can setup multiple virtual domains and use those to connect to different services or hosts.
sme supports unlimited virtual domains on the one external IP, and you can configure the domains panel to redirect where the domain finds its content, or create custom templates to redirect requests (for more specific control).

Thanks Mary, you're being brilliant.  I've had a look at the virtual domains section in the user panel, and can only see that I can forward to a website, whereas I need to forward to a server service...  I'm not certain what you mean by custom templates.
...

Offline Tib

f21970

Here is an example

External IP address 203.215.236.25 ---> SME ---> App1 192.168.0.20:562
                                            ---> App2 192.168.0.30:8080
                                            ---> App3 192.168.0.40:485

So if you want to access App1 from net then you would enter 203.215.236.25:562 ... you would get the App1 machine here
App2 would be 203.215.236.25:8080 ... and so on.

As long as the relevant ports are forwarded to the correct machine.
You can only port forward a particular port to one machine ... you cannot port forward eg: port8080 to two different IP addresses


Regards,

Tib

Offline f21970

Hi Tib,

Thanks for the advice - so, for instance I would add:

Protocol  Source Port(s)  Destination Host IP Address  Destination Port(s)  Action
TCP       3389            192.168.110.22               3389                 Remove
TCP       12345           192.168.100.5                12345                Remove

Have I got the right idea?
...

Offline Tib

f21970

That is correct


Regards,

Tib

Offline JoshuaR

Quote
Protocol  Source Port(s)  Destination Host IP Address  Destination Port(s)  Action
TCP       3389            192.168.110.22               3389                 Remove
TCP       12345           192.168.100.5                12345                Remove
Yes you could do that, but just to be clear, the source and destination ports don't have to be the same (as Stefano wrote).

So, you are not limited to only forwarding the external 3389 port to one TS (in fact I wouldn't recommend it), you could in fact have your teacher TS as 192.168.1.5, and your student TS as 192.168.1.6 
With the diagram below, your teachers would RDP to yourexternalip:1234 and your students would RDP to yourexternalip:2345   and this will forward either one to the correct 3389 port on the appropriate terminal server

you could forward like this:

Protocol  Source Port(s)  Destination Host IP Address  Destination Port(s)  Action
TCP       1234            192.168.1.5                  3389                 Remove
TCP       2345            192.168.1.6                  3389                 Remove

hope that helps,

--Josh   :grin:
« Last Edit: March 21, 2009, 01:40:18 AM by JoshuaR »
Life's tragedy is that we get old too soon, and wise too late...
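The two constraints the thread has established so far, that the external port and the internal port need not match (JoshuaR's teacher/student table) and that one external protocol/port pair can only be sent to one internal host (Tib's caveat), are easy to get wrong when the table grows. The script below is an added example, not code from the thread or from SME Server: it models a forwarding table, rejects conflicting or out-of-range entries, and prints the generic Linux iptables DNAT + FORWARD rule pair each entry corresponds to. SME Server builds its own rules from its templates, so these lines illustrate the mechanism rather than reproduce what the Port Forwarding panel emits. The interface name eth1, the external IP 203.0.113.25 and the internal hosts in the table are assumptions; an ESTABLISHED,RELATED accept rule is assumed to already exist on the gateway.

```python
"""Model a gateway port-forward table and emit the equivalent iptables rules.

Added example; not SME Server code. Names, addresses and ports are assumed.
"""

from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Forward:
    proto: str       # "tcp" or "udp"
    src_port: int    # port clients hit on the gateway's external IP
    dst_host: str    # internal host the traffic is rewritten to
    dst_port: int    # port the service actually listens on internally


def validate(forwards):
    """Return a list of readable problems; an empty list means the table is usable.

    Enforces the rule that one external proto/port pair goes to exactly one
    internal host:port, and that destinations are private (LAN) addresses.
    """
    problems = []
    seen = {}
    for f in forwards:
        label = f"{f.proto}/{f.src_port} -> {f.dst_host}:{f.dst_port}"
        if f.proto not in ("tcp", "udp"):
            problems.append(f"{label}: protocol must be tcp or udp")
        for p in (f.src_port, f.dst_port):
            if not 1 <= p <= 65535:
                problems.append(f"{label}: port {p} out of range")
        try:
            if not ipaddress.ip_address(f.dst_host).is_private:
                problems.append(f"{label}: {f.dst_host} is not an RFC 1918 address")
        except ValueError:
            problems.append(f"{label}: {f.dst_host} is not an IP address")
        key = (f.proto, f.src_port)
        if key in seen:
            problems.append(f"{label}: {f.proto}/{f.src_port} already goes to {seen[key]}")
        else:
            seen[key] = f"{f.dst_host}:{f.dst_port}"
    return problems


def iptables_rules(forwards, ext_if="eth1", ext_ip="203.0.113.25"):
    """Generate, per entry, the DNAT rule (rewrite the destination on arrival)
    and the FORWARD rule (let the rewritten packet through). Raises ValueError
    if validate() finds problems, so a conflicting table never gets loaded."""
    problems = validate(forwards)
    if problems:
        raise ValueError("; ".join(problems))
    rules = []
    for f in forwards:
        rules.append(
            f"iptables -t nat -A PREROUTING -i {ext_if} -d {ext_ip} -p {f.proto} "
            f"--dport {f.src_port} -j DNAT --to-destination {f.dst_host}:{f.dst_port}"
        )
        rules.append(
            f"iptables -A FORWARD -i {ext_if} -p {f.proto} -d {f.dst_host} "
            f"--dport {f.dst_port} -m conntrack --ctstate NEW -j ACCEPT"
        )
    return rules


# Constructed table for the teacher/student terminal-server scenario plus the
# "same port both sides" file-server entry; all addresses are assumptions.
TABLE = [
    Forward("tcp", 1234, "192.168.1.5", 3389),        # teachers -> TS 1
    Forward("tcp", 2345, "192.168.1.6", 3389),        # students -> TS 2
    Forward("tcp", 12345, "192.168.100.5", 12345),    # file server, unchanged port
]

if __name__ == "__main__":
    for rule in iptables_rules(TABLE):
        print(rule)
```

Moving RDP to 1234 and 2345 on the outside only keeps casual scanners away; the terminal servers are still reachable from the whole Internet and will see password guessing, so the usual controls (strong passwords, account lockout, restricting source addresses where the gateway allows it, or a VPN in front) still apply.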

Offline f21970

Hi all,

You've all been such great assistance!  I've tried the recommendations as follows:
1. forwarded subdomain from ISP to external IP address of SME server
2. forwarded the relevant port on the SME server to internal address of terminal server
3. attempted to connect from home via RDP to subdomain

Alas, no joy - RDP reports that domain is not reachable.  I've run a tracert & can see the subdomain reaching the external IP address of the SME server, but it mustn't be getting through. 

Anyone know what logs or such I can look in to determine what is happening to the traffic?  Or have I missed out a vital stage?

Again, I appeal, please speak in simple language to me!
...

Offline JoshuaR

Ok, well the theory in what you've done sounds correct, so the problem most likely is a small step along the way.
So from what you've written I gather you have:
Quote
1. forwarded subdomain from ISP to external IP address of SME server

So, sme.yourserver.com is now pointing to your SME external IP, I take it you've given it time to propagate the DNS entry?
Quote
2. forwarded the relevant port on the SME server to internal address of terminal server
So, your incoming port is set up to forward to the internal IP of the terminal server with the destination port 3389? (as with my example above) Try forwarding both the TCP and UDP ports with the same source and destination if you haven't already.
Quote
3. attempted to connect from home via RDP to subdomain
That's right, I have a setup similar to this and it works. So, pretty much you'll just have to work back and figure it out... can you RDP to your terminal server internally? If you try to RDP to your server from home, does it work if you RDP to the external IP instead of the DNS entry you made?
Check everything; remember, to connect you will have to RDP with the format yourhostnameorip:1234, where 1234 is the source port you set up.
« Last Edit: April 02, 2009, 02:32:35 AM by JoshuaR »
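JoshuaR's "work back and figure it out" is really three separate questions: does the name resolve, does the external IP answer on the forwarded port, and if not, is it refusing or silently dropping? A traceroute only answers the first. The script below is an added example (not from the thread, not SME Server code) that asks those questions from the client side; run it from outside (e.g. from home), because the forward is applied on the gateway's external interface and a test from the LAN does not exercise it. It probes TCP only (classic RDP is a TCP service). The host name sme.yourserver.example and port 1234 in the sample call are assumptions.

```python
"""Check a forwarded port the way a remote client sees it.

Added example; not from the thread. Distinguishes DNS failure from a port
that is refused (something answered, nothing listens / forward points at a
host without the service) and one that is filtered (dropped by a firewall
along the way, or the internal host is down).
"""

import socket


def resolve(name):
    """Return the IPv4 address a name resolves to, or None if it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def tcp_probe(ip, port, timeout=3.0):
    """Classify a TCP connect attempt: 'open', 'refused', 'filtered' or 'unreachable'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((ip, port))          # handshake completed: the forward answers
        return "open"
    except ConnectionRefusedError:     # RST came back
        return "refused"
    except (socket.timeout, TimeoutError):   # no answer at all within timeout
        return "filtered"
    except OSError:                    # e.g. no route to host
        return "unreachable"
    finally:
        s.close()


def check_forward(name, port):
    """Return (step, detail): the first step that fails, or ('ok', ip)."""
    ip = resolve(name)
    if ip is None:
        return ("dns", f"{name} does not resolve; check the ISP record and allow time to propagate")
    state = tcp_probe(ip, port)
    if state == "open":
        return ("ok", ip)
    return ("tcp", f"{name} -> {ip}, but port {port} is {state}")


def local_demo():
    """Offline demonstration: probe a port while a local listener holds it,
    then again after the listener is closed. Returns both classifications."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))         # port 0: let the kernel pick a free port
    lst.listen(1)
    port = lst.getsockname()[1]
    while_listening = tcp_probe("127.0.0.1", port)
    lst.close()
    after_close = tcp_probe("127.0.0.1", port)
    return {"port": port, "while_listening": while_listening, "after_close": after_close}


if __name__ == "__main__":
    print(local_demo())
    # Assumed name and port; replace with the record and source port you set up.
    print(check_forward("sme.yourserver.example", 1234))
```

If the result is "filtered" from home but the LAN-side RDP works, the packet is being dropped somewhere between the client and the terminal server; on the gateway itself a capture on the external interface (for example `tcpdump -ni <external interface> port 1234`, a generic tool rather than anything SME-specific) shows whether the packet even arrives before the forwarding rule gets a chance to act.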

Offline f21970

Hi again Joshua,

I'll change config so I forward the UDP ports as well.  I'm just trying it currently on standard RDP port incoming and forwarded.  I can connect via RDP internally to the terminal server, but due to restrictions on the Local Authority firewall I cannot test RDP externally to the server - therefore I have to try at home! I haven't tried to RDP to the external SME server IP address as tracert indicated that traffic was passing fine from the domain name to the relevant IP address, but I guess it's worth a try!

I'll have another go tonight and let you know (keeping fingers crossed!)

Kind Regards,
Amanda
...

Offline MSmith

OK, maybe I'm missing something here, but if the OP has multiple outward-facing IP addresses, why not put a switch in *front* of the SME server and assign another device (or several) the desired public IP(s)?
...

Offline JoshuaR

Quote
OK, maybe I'm missing something here, but if the OP has multiple outward-facing IP addresses, why not put a switch in *front* of the SME server and assign another device (or several) the desired public IP(s)?
From what I understand the OP is using SME as a firewall for the TS.
The above port forwarding method will keep SME in the 'front line' except for passing through the RDP traffic

Offline Stefano

If OP has many IP addresses, I suggest him to change SME to server-only mode and put on the edge something that can work with multiple IPs, like M0n0wall or IpCop.. in this way he could manage multiple IPs, traffic shaping and other things that you can't achieve (easily) with SME

my 2c
Stefano

Offline f21970

That's an interesting thought Stefano - I'm kinda coming to the same conclusion.  Passing through traffic to the terminal server is proving a tricky problem, and Exchange will likely be even worse - there doesn't seem to be any inbuilt support for these functions.  Currently, the SME server is acting as server/gateway, running dansguardian to filter traffic. 

It also currently runs email, which I will be changing in the next 12 months to Exchange (boo hiss), and users have access to their webmail remotely. 

How about the scenario where I leave the SME server in server/gateway mode, and additionally attach a box running IPCop with a separate IP address to the internet & LAN, through which I route the traffic to the internal servers?

If I change the SME server to be server only, and use IPcop (which I have had some scant experience with) as the external gateway do you see any potential implications? 
...

Offline Stefano

Quote
That's an interesting thought Stefano - I'm kinda coming to the same conclusion.  Passing through traffic to the terminal server is proving a tricky problem, and Exchange will likely be even worse

I agree

Quote
- there doesn't seem to be any inbuilt support for these functions. 

it's by design.. SME offers a limited firewall configuration because it's not a firewall

Quote
Currently, the SME server is acting as server/gateway, running dansguardian to filter traffic. 
How about the scenario where I leave the SME server in server/gateway mode, and additionally attach a box running IP cop with a separate IP address to the internet & LAN, through which I route the traffic to the internal servers?

it could be a good solution.. in this way you can use SME as a filter for internet navigation

Quote
If I change the SME server to be server only, and use IPcop (which I have had some scant experience with) as the external gateway do you see any potential implications? 

you should "move" dansguardian filtering on IpCop
then, as far as you don't expose SME services directly on wan, there's nothing to fear about

Quote
It also currently runs email, which I will be changing in the next 12 months to Exchange (boo hiss), and users have access to their webmail remotely. 

exponge? :-) why?

Ciao
Stefano



Offline janet

f21970

Quote
1. forwarded subdomain from ISP to external IP address of SME server
2. forwarded the relevant port on the SME server to internal address of terminal server.......

I'm not sure about this, but do you also need to add those subdomains to the Domains panel in sme server manager.

By "forwarded subdomain", do you mean configured external DNS records to point that domain at sme servers external IP ?

Offline f21970

Hi Mary,
Yes I do mean configured external DNS record to point at the SME servers external IP. 
...

Offline JoshuaR

Quote
I'm not sure about this, but do you also need to add those subdomains to the Domains panel in sme server manager.
I recently set up a record with my ISP to point a subdomain to SME, and I didn't have to add anything to SME for me to be able to connect to it.

Quote
exchange will likely to be even worse
On a side note, SME has the functionality to delegate a separate internal mail server (like Exchange) with the click of a button in the server-manager.  http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter13#E-mail_Delivery
« Last Edit: April 02, 2009, 11:35:36 PM by JoshuaR »

Offline f21970

Hi Joshua,

The issue with Exchange will not be internal access, but giving access to it from the big wide world.  I think my best route is to have a little dabble with IPCop and see where that leads!

Amanda
...

Offline JoshuaR

No worries, IPcop may very well suit your needs. But to clarify, the link I posted shows that the option mentioned delegates the mx traffic to the internal server--giving access to it from the 'big wide world' ;) .

All the best,
Josh

Offline f21970

I don't think I explained what I meant very well!  I meant external access for individuals to their Exchange email, not delivery of mail to/from the big wide world!
...

Offline JoshuaR

Exchange over http or OWA? can also be done :smile:
« Last Edit: April 03, 2009, 12:37:40 PM by JoshuaR »